[strongSwan] ikev2 smartcard support
Martin Willi
martin at strongswan.org
Thu Dec 2 11:15:33 CET 2010
Hi Peter,
> I'm trying to get smartcard support to work with the NetworkManager
> something seems to be misconfigured.
> found key on PKCS#11 token 'openSC':1
> using smartcard certificate 'winterer at informatik.test.de'
> initiating IKE_SA Mobile Pools Crypto Stick[1] to 10.1.0.2
The NetworkManager plugin currently has no option to specify the client
identity, it just picks one from the first certificate usable (see [1]
for details).
As I usually prefer subjectAltNames over complicated Distinguished
Names, it picks the first E-Mail subjectAltName as identity.
We could add an option to select a specific subjectAltName (or the DN),
but this requires some amount of work.
> looking for peer configs matching
> 10.1.0.2[C=DE, O=MoPo WLAN Test, CN=vpn-mopo.vpn.test.de]...
> 10.206.3.148[winterer at informatik.test.de]
> no matching peer config found
> conn rw2-intern
> rightid="C=DE, O=MoPo WLAN Test, CN=*"
This config won't match, it uses the full DN.
> conn mopo-sc-intern
> rightid=@informatik.test.de
Have you tried "*@informatik.test.de"?
Regards
Martin
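
Added example (not part of the original message and not strongSwan code): a simplified Python model of how the identity strings in this thread are typed and compared, showing why only "*@informatik.test.de" accepts the e-mail identity from the log. The typing and wildcard rules are assumptions modelled on strongSwan's identity parsing, and `classify`, `matches` and `dn_matches` are hypothetical names.

```python
# Simplified model (an assumption, not strongSwan source) of how an identity
# string is typed and how a configured rightid is compared with the peer's ID.

def classify(s):
    """Return (type, value) for an identity string."""
    if "=" in s:
        return ("DN", s)                # contains '=': Distinguished Name
    if "@" not in s:
        return ("ANY", "") if s in ("%any", "*") else ("FQDN", s)
    if s.startswith("@"):
        return ("FQDN", s[1:])          # leading '@' forces a domain-name ID
    return ("RFC822", s)                # user@domain is an e-mail ID


def dn_matches(peer_dn, conf_dn):
    """Compare RDNs in order; a configured value of '*' matches anything.
    Simplification: values containing ',' or '=' are not handled."""
    p = [r.strip().split("=", 1) for r in peer_dn.split(",")]
    c = [r.strip().split("=", 1) for r in conf_dn.split(",")]
    return len(p) == len(c) and all(
        pk == ck and (cv == "*" or pv == cv)
        for (pk, pv), (ck, cv) in zip(p, c))


def matches(peer_id, configured):
    """True if the peer's identity satisfies the configured rightid."""
    ptype, pval = classify(peer_id)
    ctype, cval = classify(configured)
    if ctype == "ANY":
        return True
    if ptype != ctype:
        return False                    # an e-mail ID never matches a DN or FQDN
    if ptype == "DN":
        return dn_matches(pval, cval)
    pval, cval = pval.lower(), cval.lower()
    if pval == cval:
        return True
    # a single '*' at the head of the configured string matches any prefix
    return cval.startswith("*") and pval.endswith(cval[1:])


if __name__ == "__main__":
    peer = "winterer@informatik.test.de"    # identity sent by the client
    for rightid in ("C=DE, O=MoPo WLAN Test, CN=*",   # conn rw2-intern
                    "@informatik.test.de",            # conn mopo-sc-intern
                    "*@informatik.test.de"):          # suggested value
        print(f"{rightid!r:35} -> {matches(peer, rightid)}")
```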